Audrey Spencer

General Data Protection Regulations

Published on June 20, 2017

The General Data Protection Regulations (GDPR) will apply in all Member States from 25th May 2018.  

The GDPR contains, amongst other measures, the introduction of a potential sanction of up to 4% of global turnover for breaches of data protection law.

The Information Commissioner has warned that “if your organisation cannot demonstrate that good data protection is a cornerstone of your business policy and practices, you are leaving your organisation open to enforcement action that can damage your public reputation and bank balance”.  

Steps that your business should take to prepare for the General Data Protection Regulations:

  • Engage: meaningful engagement and accountability at senior level is needed to introduce the changes that will be required to ensure compliance with the GDPR.  This will include standing items on board/senior management/executive management meeting agendas over the next year and periodically after May 2018;
  • Inclusion: of Data Protection on corporate risk registers and the like and delegation, as appropriate, to audit or similar oversight committees;
  • Organisation: establish a working group of colleagues from across the organisation who operate at a sufficiently senior level to introduce change within their respective departments/sectors;
  • Assessment: assess whether your organisation requires a Data Protection Officer;
  • Audit: to know what personal data is held, where, why and for how long;
  • Consider: whether any entities outside of the EU are subject to the GDPR;
  • Cleanse: use the results of the audit to challenge the data held with a view to minimising it.  Apply record retention policies.  Secure/destroy all personal data where retention cannot be justified.  Review the media on which personal data is held with a view to improving data security;
  • Review: review all relevant policies, procedures, privacy notices and means by which consents to processing are captured.  Are they GDPR compliant?  Would your organisation be content to publish them?  Are you getting the consents you need to meet your organisational objectives?  How will you manage mandatory breach reporting within the new timescales?  Are procedures in place to meet/strengthen individuals’ rights?;
  • Determine: if operating in more than one EU member state, determine which supervisory authority will be the lead supervisory authority under the “one-stop shop” procedure; and
  • Education: for Data Protection to penetrate our corporate thinking, every member of staff must have an awareness of it.

Following the UK’s decision to leave the EU, the General Data Protection Regulations will not directly apply to the UK but if the UK wants to trade with the Single Market on equal terms, it would have to prove “adequacy” by May 2018.  In any event it is likely that the GDPR will be live before the UK leaves Europe. Regardless of Brexit, the aim is to have a data protection regime that is adequate and consistent with Europe.

Audrey Spencer, Associate Solicitor and Head of Employment.

For further advice please contact the commercial team at our offices in Poole on 01202 725400 or Dorchester on 01305 251007.  
